top | item 32987622

(no title)

str4d | 3 years ago

> But if I recall, it seems that the age key file itself is 128 bits! Thus in the symmetric mode, Age provides only 128 bits of security. This is substandard, and in particular secure only until 2035 or so.

This is not the case. To meet NIST's Category 1 requirements, post-quantum cryptography "must require computational resources comparable to or greater than those required for key search on a block cipher with a 128-bit key (e.g. AES128)" [0]. It is therefore completely appropriate to pair any Category 1 post-quantum KEMs with 128-bit symmetric keys. See [1] for more details about post-quantum age. Symmetric passphrase age similarly is fine because it's the same as the post-quantum KEM case but without the KEM.

[0] https://csrc.nist.gov/projects/post-quantum-cryptography/pos...

[1] https://words.filippo.io/dispatches/post-quantum-age/

discuss

aborsy|3 years ago

I am not sure if I follow.

A symmetric key of length 128 bits has only 64 bits of security with quantum computers. The age developer mentioned this in a GitHub issue (although I think the fact that the security level is only 128 bits is very important and shouldn’t have been tucked away in the GitHub issues brought about by someone else; it should have been highlighted in the documentation, which doesn’t mention the security guarantees).

Here is part of the code, considering that the file key is 128 bits.

salt = ephemeral share || recipient info = "age-encryption.org/v1/X25519"

shared secret = X25519(ephemeral secret, recipient) wrap key = HKDF-SHA-256(ikm = shared secret, salt, info)

body = ChaCha20-Poly1305(key = wrap key, plaintext = file key)

andreareina|3 years ago

Doesn't Grover Search make the problem half the bits easier?